Denialbase is built as a HIPAA business associate for healthcare providers (covered entities). This page describes the administrative, physical, and technical safeguards we apply to PHI.

Administrative safeguards

  • Risk analysis performed quarterly and after any material architecture change.
  • Risk register tracks threats with owner, likelihood, impact, and mitigation — first public version targeted for Q2 2026.
  • Sanction policy for workforce members who violate policies.
  • Designated Security Officer and Privacy Officer responsible for HIPAA compliance; contact via security@denialbase.com or privacy@denialbase.com.
  • Background checks required for all employees and contractors with production access.
  • Role-based authorization following least-privilege.
  • Offboarding runbook revokes all access within 24 hours of termination.
  • HR security policy and formal onboarding/offboarding documentation: in development, target Q2 2026.
  • HIPAA awareness training on hire and annually thereafter.
  • Developer-specific secure-coding training focused on OWASP Top 10 and common Rails/React pitfalls.
  • Incident response tabletop exercises (planned Q2 2026).
  • We execute BAAs with every covered-entity customer.
  • We require BAAs from every subprocessor that may touch PHI.
  • See BAAs for the request process and current status.
  • Data backup plan — daily automated Cloud SQL backups + continuous WAL for PITR.
  • Disaster recovery plan — documented procedures for backup verification, PITR, full restore, and tabletop.
  • Emergency mode operation — documented degraded-mode procedures.
  • See Disaster recovery.
  • Periodic technical and non-technical evaluation of HIPAA safeguards, including internal reviews and — once contracted — annual third-party pentest.

Physical safeguards

Denialbase is a cloud-native application. We do not operate our own data centers.

GCP data center controls

Google Cloud is SOC 1/2/3, ISO 27001/27017/27018, and HITRUST certified. Physical controls (biometric access, 24/7 guards, environmental monitoring) are inherited from GCP.

Workstation controls

Denialbase workforce workstations are managed with full-disk encryption, automatic lock, patching enforcement, and EDR agent.

Technical safeguards

  • Unique user identification (UUID primary keys per user).
  • Emergency access procedure documented.
  • Automatic logoff after 30 minutes inactivity.
  • Encryption + decryption — see Encryption.
  • hipaa_audit_logs pipeline records every PHI access with 7-year retention.
  • See Audit logging for details.
  • Database is write-once for audit tables; application cannot update or delete audit rows.
  • All writes to PHI are authenticated and audit-logged.
  • Backups verified (cadence targeted Q2 2026).
  • 2FA required for every account with PHI access (TOTP or passkey).
  • Passwords meet HIPAA-aligned complexity rules (12+ chars, mixed classes).
  • See Authentication & access control.
  • TLS 1.2+ for all external traffic.
  • Private VPC for internal traffic.
  • No PHI ever sent in email bodies.
  • See Network security.

Breach notification

Under §164.400–414 we commit to:
  • Detection — automated alerts on abnormal access patterns (bulk exports, off-hours admin, failed-login spikes).
  • Triage — incident responder acknowledges within 1 hour business-time / 4 hours off-hours.
  • Assessment — probability-of-compromise analysis per §164.402 within 24 hours.
  • Notification — if a breach is confirmed, we notify affected covered-entity customers without unreasonable delay and no later than 60 days after discovery, per §164.410.
  • Documentation — every incident, breach or not, is written up and retained for 6 years.

Data subject rights

Through the covered-entity relationship, patients can exercise their HIPAA rights via their provider. Denialbase supports:
  • Access to PHI in our systems via the provider’s admin panel.
  • Amendment requests routed through the provider.
  • Accounting of disclosures from the hipaa_audit_logs pipeline.
  • Restriction requests via ticket to the covered entity.

Retention

Data                      Retention
Active account data       While the account is active
Integration-synced data   While the integration is connected
hipaa_audit_logs          7 years
security_audit_logs       7 years
Deleted account data      Purged on account deletion (User#permanently_delete!)

Questions

Security questions: security@denialbase.com. Privacy questions: privacy@denialbase.com.